CVE-2022-23647
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-23647
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-23647.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2022-23647
- Aliases
- Downstream
- Published
- 2022-02-18T14:50:10Z
- Modified
- 2025-10-30T20:00:50.801479Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:L CVSS Calculator
- Summary
- Cross-site Scripting in Prism
- Details
-
Prism is a syntax highlighting library. Starting with version 1.14.0 and prior to version 1.27.0, Prism's command line plugin can be used by attackers to achieve a cross-site scripting attack. The command line plugin did not properly escape its output, leading to the input text being inserted into the DOM as HTML code. Server-side usage of Prism is not impacted. Websites that do not use the Command Line plugin are also not impacted. This bug has been fixed in v1.27.0. As a workaround, do not use the command line plugin on untrusted inputs, or sanitize all code blocks (remove all HTML code text) from all code blocks that use the command line plugin.
- Database specific
{ "cwe_ids": [ "CWE-79" ] }- References